
Commit d1a9980

ci(release): sign artifacts with cosign keyless signing (#61)
Add cosign signing to GoReleaser config to produce a sigstore bundle (checksums.txt.sigstore.json) alongside each release. Update the release workflow with id-token:write permission and sigstore/cosign-installer so signing uses GitHub's OIDC token without any managed keys.
1 parent d6df21b commit d1a9980

2 files changed

Lines changed: 14 additions & 0 deletions

File tree

.github/workflows/release.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,7 @@ on:
77

88
permissions:
99
contents: write
10+
id-token: write
1011

1112
jobs:
1213
release:
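Review bot: `id-token: write` is added to the workflow-level `permissions:` block, so every job in this workflow gains the right to mint OIDC identity tokens, not only the job that runs cosign. Since only `release:` needs to request a token, consider moving `permissions:` under `jobs.release`; job-level permissions replace the workflow-level block rather than merging with it, so `contents: write` must be repeated there alongside `id-token: write`, and the top level can then drop to the minimum the other steps need.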
@@ -29,6 +30,9 @@ jobs:
2930
config: cliff.toml
3031
args: --latest --strip header --output CHANGELOG.md
3132

33+
- name: Install Cosign
34+
uses: sigstore/cosign-installer@v4.1.0
35+
3236
- uses: goreleaser/goreleaser-action@v6
3337
with:
3438
version: "~> v2"
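Review bot: `uses: sigstore/cosign-installer@v4.1.0` pins this step to a mutable tag, yet it is the step that fetches the binary producing every release signature; pin it to the full commit SHA (keeping the tag in a trailing comment for readability) so a moved or compromised tag cannot silently replace the signing tool. The step also has no `with:` block, so the cosign version installed is whatever the action defaults to at run time; setting the action's `cosign-release` input explicitly would make the signing toolchain reproducible across releases.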

.goreleaser.yaml

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -26,6 +26,16 @@ archives:
2626
checksum:
2727
name_template: "checksums.txt"
2828

29+
signs:
30+
- cmd: cosign
31+
signature: "${artifact}.sigstore.json"
32+
args:
33+
- "sign-blob"
34+
- "--bundle=${signature}"
35+
- "${artifact}"
36+
- "--yes"
37+
artifacts: checksum
38+
2939
homebrew_casks:
3040
- name: runware
3141
homepage: https://runware.ai
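Review bot: the new `signs:` block covers only `checksums.txt` (`artifacts: checksum`), which is a reasonable choice, but the bundle it produces is only meaningful to consumers who know which identity to verify against, and nothing in this change documents that. Add the verification procedure to the release notes or README: the check has to bind the certificate to this repository's workflow with both the identity and the issuer, roughly `cosign verify-blob --bundle checksums.txt.sigstore.json --certificate-identity-regexp '^https://github.com/<org>/<repo>/' --certificate-oidc-issuer https://token.actions.githubusercontent.com checksums.txt` (with `<org>/<repo>` filled in), followed by `sha256sum -c checksums.txt` to verify the binaries transitively. The `--yes` argument is appropriate since the step runs non-interactively, and the `"${artifact}.sigstore.json"` template yields exactly the `checksums.txt.sigstore.json` name the commit message describes.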
